.htaccess file doesnt work

Username (e.g. epiz_XXX) or Website URL


Error Message

Missing Headers;

Other Information

I try to hardening the header by a .htaccess file, but it doesnt work.

  1. Write rules from this Hardening your header in the .thaccess file
  2. I upload the .htaccess file in the htdocs folder
  3. check the header but no working

This sounds like a site for if you can self-hosting. Can you tell us what you are trying to achieve? Also, make sure you created a new .htaccess file in the /htdocs folder, and that you are not editing the one in the folder root.

Setting headers through either .htaccess rules of PHP should just work fine.

But note that some online validation tools may not see it because they are stopped by this:


this is the .htaccess file

#START HTTP Security Header
#Content Security Policy - CSP-HEADER
# Lade Inhalte nur von Seiten die explizit erlaubt sind
# Beispiel: Alles von der eigenen Domain erlauben, keine Externas:
Header set Content-Security-Policy "default-src 'none'; frame-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self';"
Header set Permissions-Policy "accelerometer=(); autoplay=('self'); camera=(); encrypted-media=(); fullscreen; geolocation=('self'); gyroscope=(); magnetometer=(); microphone=(); midi=(); payment=(); picture-in-picture=('self'); usb=()"
Header set Content-Security-Policy: upgrade-insecure-requests
Header set Cross-Origin-Resource-Policy: same-origin
Header set Cross-Origin-Opener-Policy: same-origin-allow-popups
Header set Cross-Origin-Embedder-Policy: require-corp
Header set Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups
#HTTP Content-Types
AddCharset UTF-8 .html
AddType 'text/html; charset=UTF-8' html
#Public Key Pins
Header set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer"
#CORS Enabled
Header set Access-Control-Allow-Origin 'origin-list'
#Disable server signature
Header unset X-Powered-By
ServerSignature Off
RewriteCond %{QUERY_STRING} PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]
#END HTTP Security Header

this is the test service

how I can test the http header security?

With an another security scanner I got a security problen by DOMXSS-Sources

I wannna realize a login without js and a secure header. How I can do and test this?

I’m not sure you can. If there is a security scanner than executes Javascript, then it should work, but I don’t know if they exist.

But you can just open the site yourself, check the Network tab and view the response headers there. If those match what you’ve set in the .htaccess file, then your rules are probably good.


Ok, thanx a lot for this fast answer, I will do further research. At least one question ,is it possible to get a list of working .htaccess directives?

I don’t have a list of that, no. That said, most popular .htaccess statements should be supported. So most mod_rewrite stuff, adding headers, blocking IPs and so on should all be possible.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.